Security

Your data security is our top priority. Learn how CraftRFP protects your confidential business information with enterprise-grade security measures.

Data Encryption

TLS 1.3 encryption in transit and AES-256 encryption at rest protect all your data.

Infrastructure Security

Enterprise-grade cloud infrastructure with WAF, DDoS protection, and network segmentation.

Access Control

Role-based access control, multi-factor authentication, and comprehensive audit logging.

Compliance Ready

Security controls aligned with SOC 2 and ISO 27001 frameworks. GDPR and CCPA ready.

1. Data Encryption

We employ industry-leading encryption standards to protect your data at every stage.

Encryption in Transit

  • TLS 1.3: All data transmitted between your browser and our servers uses the latest TLS 1.3 protocol with strong cipher suites
  • HSTS: HTTP Strict Transport Security ensures all connections use HTTPS, preventing downgrade attacks
  • Certificate Transparency: All our SSL/TLS certificates are logged to public CT logs for accountability

Encryption at Rest

  • AES-256: All stored data, including documents, proposals, and user information, is encrypted using AES-256 encryption
  • Key Management: Encryption keys are managed through secure key management services with automatic rotation
  • Database Encryption: Database-level encryption ensures data remains protected even at the storage layer

2. Infrastructure Security

CraftRFP is built on enterprise-grade cloud infrastructure with multiple layers of security.

Cloud Providers

We partner with industry-leading cloud providers who maintain rigorous security standards:

Provider        | Service                    | Security Standards
Vercel          | Application hosting        | SOC 2 Type II, ISO 27001
Supabase (AWS)  | Database & authentication  | SOC 2, ISO 27001, HIPAA eligible
Google Cloud    | AI processing (Vertex AI)  | SOC 2, ISO 27001/27017/27018, FedRAMP

Network Security

  • Web Application Firewall (WAF): Protection against common web vulnerabilities including SQL injection, XSS, and CSRF attacks
  • DDoS Protection: Automatic DDoS mitigation at the network and application layers
  • Network Segmentation: Strict network isolation between different services and customer data
  • Intrusion Detection: Continuous monitoring for suspicious network activity and potential threats

3. Access Control

We implement comprehensive access controls to ensure only authorized users can access your data.

Authentication

  • Secure Password Hashing: Passwords are hashed using bcrypt with appropriate cost factors, never stored in plain text
  • Email Verification: All accounts require email verification to prevent unauthorized account creation
  • Session Management: Secure session tokens with automatic expiration and rotation
  • Rate Limiting: Protection against brute-force attacks on login endpoints

Authorization

  • Row-Level Security (RLS): Database-level policies ensure users can only access their own data
  • Role-Based Access Control (RBAC): Granular permissions for team members based on their role (Owner, Admin, Member)
  • Principle of Least Privilege: Users and services only have access to resources they need
  • Audit Logging: All access and changes are logged for security review and compliance

4. AI Data Security

Zero-Training Guarantee

Your proprietary data is NEVER used to train AI models. Your uploaded proposals, RFP documents, and generated content remain confidential and are not used for model improvement by CraftRFP or our AI providers.

Google Vertex AI Safeguards

CraftRFP utilizes Google Cloud Vertex AI for AI processing, which provides enterprise-grade data protection:

  • No Model Training: Customer data is NOT used by Google to train or improve their models
  • Data Processing Agreement: Enterprise-grade Cloud Data Processing Addendum (CDPA) in place
  • In-Memory Processing: AI providers process data in-memory and do not retain it beyond the API call
  • Data Isolation: Customer data never leaves your project boundary
  • IAM Controls: Strict Identity and Access Management controls enforced via Google Cloud IAM

See Google Cloud's Data Processing Addendum for more details.

5. Compliance & Standards

CraftRFP implements security controls aligned with industry frameworks and is designed to help you meet your compliance obligations.

Privacy Regulations

We support compliance with major privacy regulations:

  • GDPR Ready: Data subject rights, lawful processing, and DPA support for EU customers
  • CCPA/CPRA Ready: Consumer rights and "Do Not Sell" support for California residents
  • PIPEDA Ready: Privacy practices aligned with Canadian requirements
  • US State Laws: Designed to support Virginia, Colorado, Connecticut, and other state privacy laws

Security Frameworks

Our security controls are designed in alignment with industry frameworks:

  • SOC 2 Aligned: Controls designed following Trust Services Criteria for security, availability, and confidentiality
  • ISO 27001 Aligned: Information security management practices following ISO 27001 framework

Infrastructure Provider Certifications

Our infrastructure providers maintain the following certifications:

  • Vercel: SOC 2 Type II, ISO 27001
  • Supabase (AWS): SOC 2, ISO 27001, HIPAA eligible
  • Google Cloud: SOC 2, ISO 27001/27017/27018, FedRAMP

Note: These are certifications held by our infrastructure providers, not CraftRFP directly.

6. Incident Response

We maintain a comprehensive incident response program to quickly identify, contain, and remediate security incidents.

Monitoring & Detection

  • 24/7 Monitoring: Continuous security monitoring and alerting through automated systems
  • Anomaly Detection: Machine learning-based detection of unusual activity patterns
  • Log Analysis: Centralized logging with real-time analysis and correlation

Response Process

  • Escalation Procedures: Defined escalation paths ensure rapid response to security events
  • Incident Classification: Security events are classified by severity for appropriate response
  • Root Cause Analysis: Post-incident reviews to prevent recurrence

Breach Notification

In the unlikely event of a data breach affecting your information, we will notify you within 72 hours in compliance with GDPR and other applicable regulations. Our notification will include the nature of the breach, data affected, steps we are taking, and recommended actions for you.

7. Vulnerability Disclosure

We appreciate the security research community and welcome responsible disclosure of potential vulnerabilities.

Reporting a Vulnerability

If you discover a security vulnerability, please report it to us responsibly:

Security Team Contact

Email: security@craftrfp.com

What to Include

  • Description of the vulnerability and potential impact
  • Steps to reproduce the issue
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

Our Commitment

  • We will acknowledge receipt within 48 hours
  • We will provide regular updates on our investigation
  • We will not take legal action against researchers who follow responsible disclosure practices
  • We will credit researchers (with permission) for valid reports

8. Contact Us

For security-related inquiries or to report a security concern:

CraftRFP Security Team

Email: security@craftrfp.com

For general privacy inquiries: privacy@craftrfp.com